Creating Bi-Directional Firewall Policies

Updated by Richard Seroter on Dec 12, 2012
Article Code: n1021

Description:

CenturyLink Cloud Platform firewall policies make it simple to connect networks within a given account or across accounts. Firewall policies are inherently one-way, but it is very straightforward to craft a pair of policies that enable bi-directional communication.
This walkthrough builds upon the servers, networks and policies built in the KB article entitled Connecting Data Center Networks Through Firewall Policies.

Steps:

1. Confirm that you have two servers in two different networks.

In the KB article referenced above, there was a parent account and a sub-account, and a network and server in each. Below, see that two distinct networks exist in this demonstration.

There are also two servers in this demonstration, each on a different network.

2. Build a pair of policies that enable network communication in both directions.

Check the existing firewall policies by navigating to the Firewall menu item under the Network menu. From the previous KB article walkthrough, there should be a single firewall policy that makes it possible for the server in the parent account's network to ping a server in the sub-account's network.

This traffic is one-way only. To confirm this, attempt to ping the server in the parent account from the server in the sub-account. Notice that the request times out because network traffic is not allowed from the child network to the parent.

In order to allow servers in the sub-account's network to communicate with servers in the parent account's network, another firewall policy must be created.

Switch the Source Account and Destination Account values at the top of the page to reflect the sub-account as the source and parent account as the destination.

Click the add policy button and add a firewall policy that allows traffic from (restricted) IP addresses in the sub-account network to (restricted) IP addresses in the parent account network.

Save the firewall policy.

3. Confirm that the policies are working.

From the server in the sub-account's network, once again attempt to ping the server in the parent account's network.

As expected, traffic can now travel in both directions between the networks. Bi-directional network communication therefore requires two firewall policies overall, one for each direction.
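The one-way behaviour and the policy pairing from the steps above can be modelled offline to audit a rule set for policies that lack a reverse counterpart. This is an added example, not CenturyLink Cloud code or part of the original article; the `Policy` fields, account names and addresses are constructed for illustration, and it assumes IPv4 CIDR ranges.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """One-way rule: hosts in src_cidrs (src_account) may reach dst_cidrs (dst_account)."""
    src_account: str
    dst_account: str
    src_cidrs: tuple
    dst_cidrs: tuple

def _contains(cidrs, ip):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in cidrs)

def _covers(cidrs, target):
    t = ipaddress.ip_network(target)
    return any(t.subnet_of(ipaddress.ip_network(c)) for c in cidrs)

def allowed(policies, src_account, src_ip, dst_account, dst_ip):
    """True if any policy permits traffic from src_ip toward dst_ip."""
    return any(
        (p.src_account, p.dst_account) == (src_account, dst_account)
        and _contains(p.src_cidrs, src_ip) and _contains(p.dst_cidrs, dst_ip)
        for p in policies)

def one_way_only(policies):
    """Policies with no mirror policy covering the same ranges in reverse."""
    def mirrored(p):
        return any(
            (q.src_account, q.dst_account) == (p.dst_account, p.src_account)
            and all(_covers(q.src_cidrs, c) for c in p.dst_cidrs)
            and all(_covers(q.dst_cidrs, c) for c in p.src_cidrs)
            for q in policies)
    return [p for p in policies if not mirrored(p)]

# Constructed sample data (not from the article): restricted single-host policies.
FORWARD = Policy("PARENT", "SUB", ("10.1.10.12/32",), ("10.2.20.15/32",))
REVERSE = Policy("SUB", "PARENT", ("10.2.20.15/32",), ("10.1.10.12/32",))

if __name__ == "__main__":
    for label, rules in (("forward only", [FORWARD]), ("pair", [FORWARD, REVERSE])):
        back = allowed(rules, "SUB", "10.2.20.15", "PARENT", "10.1.10.12")
        print(label, "| sub -> parent allowed:", back,
              "| unpaired:", len(one_way_only(rules)))
```

Because both sample policies are restricted to single hosts, other addresses in either network remain blocked in both directions even after the pair is in place.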
